A flaw has been identified in Microsoft’s Active Directory Federation Services (ADFS) that permits multi-factor authentication (MFA) to be bypassed with ease. The flaw is being monitored as CVE-2018-8340 and was noticed by Andrew Lee, a security researcher at Okta.
ADFS is used by many organizations to help secure accounts, and ADFS is also used by vendors including SecureAuth, Okta, and RSA to add multi-factor authentication to their security products.
To exploit the flaw, a hacker would need to obtain the login details of an employee and have a valid second-factor authentication token. That token could then be used as authentication to log onto any other person’s account if their username and password are known.
A threat actor could easily obtain a username and password by carrying out a phishing campaign. The number of phishing attacks on healthcare groups reported recently shows just how easy it is to fool employees into disclosing their login details. A brute-force attempt against an account with a weak password would also be successful.
Obtaining the second-factor token is a little more complicated. The second factor is often a mobile phone number, an email address, or a smart card PIN. That data could also potentially be obtained through phishing or through a successful attempt to get the IT help desk to change a user’s MFA token.
The flaw would be simple to exploit by an insider, since that person would already have a valid MFA token registered on the system. All that would be needed to gain access to the account of another employee would be their username and password.
The flaw is due to the way ADFS communicates during a login. When a login is attempted, the server sends an encrypted context log that includes the MFA token. However, the context log does not include the username, so no check is carried out to ensure the MFA token is being used by the correct person. If a hacker used one browser to access an account with a known username/password and MFA token, and a second browser with just a username and password but no MFA token, a single MFA token could be used to obtain access to both accounts.
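To make the missing binding concrete, here is an added illustration modelled on the description above; it is not Microsoft’s code and not part of the original article. It implements a toy MFA-completion context protected by an HMAC in two forms: an unbound form that records only that some second factor succeeded (the weakness described), and a bound form that also carries the subject and an expiry, which the verifier checks against the password-authenticated session it is completing. The server key, token layout and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real server would hold a
# randomly generated secret in protected storage.
SERVER_KEY = b"demo-context-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload_b64: str) -> str:
    # Integrity tag over the encoded payload; anything not under this tag
    # (such as which session presents the token) is not protected.
    return hmac.new(SERVER_KEY, payload_b64.encode("ascii"), hashlib.sha256).hexdigest()


def issue_context(username: str, bind_to_user: bool, now: Optional[float] = None) -> str:
    """Issue an MFA-completion context once the second factor has been verified.

    bind_to_user=False mirrors the flaw in the article: the context proves that
    *a* second factor succeeded, but not whose.  bind_to_user=True is the
    hardened form: the subject and an expiry are part of the protected payload.
    """
    now = time.time() if now is None else now
    payload = {"mfa_ok": True, "iat": int(now)}
    if bind_to_user:
        payload["sub"] = username
        payload["exp"] = int(now) + 300  # five-minute validity window
    payload_b64 = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    return f"{payload_b64}.{_mac(payload_b64)}"


def verify_context(token: str, username: str, require_binding: bool,
                   now: Optional[float] = None) -> bool:
    """Check a context presented by a password-authenticated session for `username`."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac = token.split(".", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(payload_b64)):
        return False  # forged or tampered token
    try:
        payload = json.loads(_unb64(payload_b64))
    except ValueError:
        return False
    if payload.get("mfa_ok") is not True:
        return False
    if not require_binding:
        # The weak check: any authentic context completes any user's login.
        return True
    # Hardened check: the context must name this user and still be fresh.
    return payload.get("sub") == username and now < payload.get("exp", 0)


if __name__ == "__main__":
    t0 = 1_000.0
    unbound = issue_context("alice", bind_to_user=False, now=t0)
    bound = issue_context("alice", bind_to_user=True, now=t0)
    print("unbound context accepted for bob:",
          verify_context(unbound, "bob", require_binding=False, now=t0))
    print("bound context accepted for bob:  ",
          verify_context(bound, "bob", require_binding=True, now=t0))
```

The decisive line is the subject comparison in the hardened branch: once the username is inside the authenticated payload, a context minted for one password session cannot complete another user’s login, and the expiry limits how long a captured context stays useful. An authenticated-encryption scheme with the username as associated data would achieve the same binding while also hiding the payload.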
Two-factor authentication is a vital security control that can stop unauthorized account access even if a threat actor has successfully obtained login credentials, although this flaw indicates that the system is not impenetrable.
The weakness has now been addressed in Microsoft’s Patch Tuesday updates on August 14. Healthcare organizations should ensure that the patch is applied quickly so that their MFA controls cannot be easily bypassed.